pKAS: A Secure Password-Based Key Agreement Scheme for the Edge Cloud

Because of their simplicity and feasibility, password-based authentication and key agreement schemes have gradually become a popular way to protect network security. In order to achieve mutual authentication between users and edge cloud servers during data collection, password-based key agreement has attracted much attention from researchers and users. However, security and simplicity pull in opposite directions, which is one of the biggest difficulties in designing a password-based key agreement scheme. Aiming to provide a secure and efficient key agreement scheme for data collection in the edge cloud, we propose an efficient and secure password-based key agreement scheme (pKAS) in this paper. The proposed scheme is supported by a rigorous security proof and is shown to resist various attacks. Compared with other similar password-based key agreement schemes, it has lower computational and communication costs and higher security.


Introduction
With the dawn of the Internet of Everything, the Internet of Things (IoT) has taken a leading strategic position in research and development around the world. Although countries worldwide pay attention to the development of the IoT, the influx of diverse traffic and the need for diversified application scenarios have not only posed new challenges to today's centralized cloud computing architecture but also driven the emergence of the edge computing paradigm [1,2].
In the era of the Internet of Things, mobile devices are no longer simply mobile phones, tablets, etc., but include augmented/virtual reality devices, intelligent medical devices, and moving vehicles. The application scenarios have also shifted from voice/video communication and other services to virtual space experience, intelligent manufacturing, and the Internet of Vehicles [3,4]. In cloud-based services, data transmission speed is affected by network traffic, and heavy traffic leads to long transmission times, thus increasing power consumption and cost. Therefore, the adoption of mobile edge computing (MEC) can meet the needs of IoT devices.
As shown in Figure 1, the collection and processing of data is a very important part of the Internet of Things. In the traditional architecture, however, all collected data are transmitted to the cloud server, and processing and analysis rely on the server's computing power. This leaves the server heavily loaded and prone to failure or downtime. At the same time, the growth in data volume increases the cost of the storage servers. In addition, because the network is limited by bandwidth and speed, transmitting a large amount of monitoring data puts the network under pressure, and the data may suffer large transmission delays and packet loss. Edge computing provides data format conversion, caching, processing, analysis, and transmission services close to the data source, which relieves the load on the cloud servers and improves the efficiency of data processing. The edge cloud includes IoT gateways and collectors. These devices together form an edge node network and provide lightweight computing power for the edge layer of the system.
In the MEC-based Internet of Things, massive amounts of data are generated by a large number of sensors and heterogeneous devices, and the storage devices are provided by different third-party vendors. Due to the distributed nature of MEC, data are stored at different network edges, which increases the risk of the data being attacked. For example, unauthorized users or adversaries may modify or abuse the data uploaded to storage, leading to data leakage and other problems. In order to solve these problems, this paper proposes identity verification based on password-based key agreement. This scheme can ensure both identity authentication of the two parties and data security.
In order to protect the data in the edge cloud from being tampered with, the administrator of the edge cloud server needs to authenticate to it when operating the server, so that the server can determine whether the administrator has been impersonated. To improve the security and verifiability of messages, Zheng [5] proposed signcryption, a primitive that signs and encrypts in a single step.
The key agreement protocol is the most commonly used method for two or more parties to establish secure communication. Its features ensure that the data to be communicated remain confidential, secure, and complete [6][7][8][9][10]. The protocol establishes a session key jointly among two or more entities. The result of the key agreement is influenced by every participant, and no trusted third party is required in the process. The session key is computed from the parameters generated by the participants. In order to enable both parties to authenticate each other, authenticated key agreement was proposed, in which the protocol establishes a session key and authenticates the parties at the same time [11][12][13].
In 2005, a Diffie-Hellman-based authenticated key exchange protocol under standard cryptographic assumptions was proposed as a secure and scalable scheme that performs key control and management during transmission [14][15][16]. In 2009, an elliptic curve cryptosystem (ECC) authentication scheme with no pairing and few certificates was presented. The scheme targeted mobile device communication and combined identity authentication with a key agreement protocol; it was also designed to withstand more attacks [13,[17][18][19][20]. In 2010-2012, many scholars held that large prime fields are difficult for hardware implementations of elliptic curve cryptosystems, whereas binary fields were regarded as suitable [21,22]. In order to ensure the confidentiality and integrity of the sent and received messages, an authenticated key agreement protocol must include a strong encryption algorithm.
Key agreement protocols based on elliptic curve cryptography represent an important development for confidentiality, integrity, and user anonymity.
There are two types of key agreement protocols according to the authentication method: password-based key agreement protocols and public-key-based key agreement protocols. The password-based authenticated key agreement protocol was first proposed by Bellovin and Merritt [23]. In this protocol, both parties share a password in advance, which is used to authenticate each other's identity during communication and to negotiate a short-term session key. Public-key-based key agreement negotiates a session key through signatures or public key verification. In this paper, password-based key agreement protocols are studied [15].

Motivations and Contributions.
The proposed pKAS can ensure the security of the message and the authentication of the user identity when two parties communicate. We list our contributions as follows: First, we put forward a secure password-based key agreement scheme, pKAS, based on ECC for mutual authentication between the user and the edge server. The proposed pKAS needs only two message deliveries, which greatly saves communication bandwidth. In this scheme, we use signcryption, signature verification, hash operations, etc., to ensure the confidentiality and integrity of the message as well as the anonymity of the identity. Second, we conduct a strict security analysis of the proposed pKAS and compare it with other related schemes. The results show that pKAS can resist various attacks.
Third, by comparing communication and computation costs, we show that the proposed pKAS has lower cost and is more secure than recent similar schemes.

Organization of the Paper.
The structure of the paper is as follows. Sections 2 and 3 present the related work and the preliminaries. The system model and security requirements of the proposed scheme are given in Section 4. Section 5 presents the proposed password-based key agreement scheme. Section 6 presents the security and performance analysis. Section 7 describes the conclusion and future work, followed by data availability and conflicts of interest.

Related Works
With the development of Internet technology, security in communications has become more and more significant. Therefore, how to identify remote users has become one of the most significant issues in public networks. To address this problem, many schemes have been presented. Lamport [24] first proposed a password-based scheme for authenticating remote parties. Subsequently, many password-based key agreement schemes were proposed in [25][26][27][28][29].
In 2009, Xu et al. [25] presented an improved remote user authentication and key agreement scheme based on passwords and smart cards, and they argued that their scheme is secure. Sood et al. [26] found that Xu et al.'s scheme is vulnerable to password guessing attacks and impersonation attacks, and subsequently put forward an improved authentication scheme. However, in 2012, Chen et al. [27] pointed out that the scheme of Sood et al. only provides one-way authentication: the legitimacy of the remote server is never verified. As a consequence, Chen et al. presented an improved key agreement scheme with stronger security that achieves authentication of both remote parties, and they stated that their scheme could resist various attacks. In the authentication schemes of Sood et al., Chen et al., and many other scholars [30][31][32], a user who wants to change the password must interact with the remote server and repeat the login and authentication process rather than completing the password change locally on the client. In addition, these solutions do not detect a wrongly entered password during the login process; the wrong password is discovered only in the final authentication step, after a series of computations and communications. Obviously, these schemes are inefficient and user-unfriendly and fail to verify a wrong password early. Recently, Li et al. [28] showed that Chen et al.'s scheme does not ensure forward secrecy and does not achieve perfect user anonymity. In addition, they proposed a scheme based on passwords and smart cards that enhances remote user authentication and key agreement.
Messages transmitted between the sender and the receiver over public channels may be eavesdropped on by the adversary. The identity of users should therefore be kept confidential during message transmission; otherwise, the adversary can track a user by collecting the user's identity information. Several interesting bilinear-pairing-based and ECC-based key agreement protocols have been proposed in recent years [33][34][35][36]. Irshad et al. [33] presented a scheme that uses bilinear pairing operations in the interaction between mobile devices and servers. A method that lets mobile devices access the server was proposed by Tsai and Lo [35], but it was later shown that the scheme cannot resist impersonation attacks and man-in-the-middle attacks. Moreover, Xiong et al. [37] observed that Irshad et al.'s scheme is very computationally expensive for mobile devices. Protocols based on ECC are more efficient because point addition and scalar multiplication on elliptic curves are cheaper than modular exponentiation. In addition, elliptic curve cryptography, whose security rests on the difficulty of the elliptic curve discrete logarithm problem (ECDLP), offers strong security at comparatively short key lengths. In 2017, a lightweight password-based key agreement protocol was proposed by Mahmood et al. [34]. Later, however, the protocol was shown to have security issues such as lack of anonymity, no resistance to replay attacks, and no guarantee of data confidentiality. Recently, an ECC-based key agreement scheme was presented by Kaur et al. [36], who stated that their scheme can withstand many kinds of attacks. Nonetheless, our analysis found that the scheme of Kaur et al. resists neither forgery attacks nor insider attacks.

One-Way Hash Function.
Let m be a message for which a hash value is required, and let h(m) denote its hash. The length of m is variable, while h(m) has a fixed length. Given m, it is easy to compute h(m); however, given only h(m), it is infeasible to find an m that hashes to it.

Elliptic Curve Cryptosystem (ECC).
In 1985, elliptic curves were first used for data encryption by Miller. Later, Koblitz built a new cryptosystem on the elliptic curve discrete logarithm problem (ECDLP), which is called the elliptic curve cryptosystem (ECC). ECC has lower computational overhead than other public key cryptosystems such as RSA at a comparable security level. Since then, ECC has been widely used in cryptographic protocols and security schemes. The following describes the basic knowledge of ECC and the computational hardness assumptions it relies on.
Elliptic curve cryptography is a public key cryptography method based on the mathematics of elliptic curves. An elliptic curve over the finite field F_p with coefficients a and b is denoted E_p(a, b). Let Q, R be two points in E_p(a, b). Q + R is defined as follows: draw the straight line through Q and R and let it intersect the elliptic curve at a third point P; then Q + R = −P, the reflection of P about the x-axis.
Let Q be a point in E_p(a, b); the doubling of Q is defined as follows: draw the tangent to the elliptic curve at point Q, and let the tangent intersect the elliptic curve at

Complexity Assumptions.
The security foundation of ECC is the elliptic curve discrete logarithm problem (ECDLP), which can be defined as follows.
ECDLP: given two points P_1 and P_2 in E_p(a, b) with P_2 = kP_1, it is easy to compute P_2 from k and P_1, while it is infeasible to compute k from P_1 and P_2.

System Model.
Analyzing the communication requirements between the user and the edge server, our system involves the following roles: users, the edge cloud server, and a trusted authority (TA), which is regarded as a completely trusted administrator that cannot be compromised by any adversary. For user authentication and key agreement, a user (say U_i) must first register with the TA; afterwards he/she can perform mutual authentication and key agreement with the edge cloud server or with other users (such as U_j) using only the password and the smart card. The network model of our system is illustrated in Figure 2. Before communicating with the edge server, the user registers with the TA through a secure channel and stores the corresponding registration information on his/her smart card. After successful registration, the user can perform mutual authentication and key negotiation with the edge server and carry out operations such as secure data management on the edge cloud.

Security Requirements.
Before analyzing the security requirements, we state the adversary's capabilities for this application. An adversary A generally has the following capabilities:
(i) The open channel is controlled by A; that is, messages on the open channel can be deleted, intercepted, modified, and resent by A.
(ii) A can traverse the password space in polynomial time; that is, once any other secret information is known, A can guess the password by brute force.
(iii) A can obtain the user's password through a malicious terminal and can also extract the data stored in the smart card.
Given these capabilities of A, a password-based key agreement scheme should provide forward secrecy and must resist known attacks such as offline password guessing, replay, user impersonation, server spoofing, and parallel attacks. Furthermore, the scheme must provide mutual authentication and anonymity.

The Proposed Scheme (pKAS)
In this section, a key agreement scheme based on passwords (pKAS for short) using ECC is proposed. There are no bilinear pairing operations in pKAS. Overall, pKAS has four phases: system initialization phase, registration phase, login and key agreement phase, and offline password change phase. For simplicity, we list the symbols used in this paper and their corresponding meanings in Table 1.
The following subsections present the four phases of the proposed scheme.

System Initialization Phase.
The TA selects a large prime p, constructs a nonsingular elliptic curve E_p(a, b) over the finite field F_p, chooses a base point P on E_p(a, b), and generates a finite cyclic additive group G of order q with generator P.

Registration Phase.
The users, the edge cloud server, and the TA complete the registration phase together. Assume the current user U_i's identity is ID_i; registration is completed as follows:
Step R1: U_i sets his/her password PW_i, then chooses random numbers x_i, a_{i0} ∈ Z*_q, computes X_i = x_i P, and sends (ID_i, X_i) to the TA over a channel that an adversary cannot eavesdrop on.
Step R2: when the TA receives (ID_i, X_i), it stores (ID_i, X_i) on the server.

Login and Key Agreement Phase.
In this phase we assume two parties, the user U_i and the edge cloud server U_j. They log in using their ID and password, then authenticate each other and negotiate a session key.
Step A1: U_i inputs his/her ID_i' and PW_i'; the smart card then computes a_i' = h(h(ID_i) ⊕ h(PW_i' ‖ a_{i0})) mod κ and checks whether a_i' = a_i holds. If it does not, the session is terminated.
Step A2:
Step A3: after receiving the message, U_j checks whether C_i = σ_i P − f_i' X_i holds. If not, U_j terminates the session. Otherwise U_j chooses c_j ∈ Z*_q and computes C_j = c_j P,
Step A4: after receiving (C_j, f_j, σ_j, t_j) from U_j, U_i checks whether the current timestamp t_i' satisfies t_i' − t_j < Δt; if not, U_i terminates the session, else U_i computes
Finally, U_i and U_j have agreed on an identical session key sk_ji = sk_ij. Figure 3 presents the flowchart of the login and key agreement phase.
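The following Python program is an added example, not code from the paper or its authors. It carries the ECC arithmetic of Section 3 and the checks of the login and key agreement phase through on a real curve: it assumes secp256k1 as E_p(a, b) with base point P of order q, assumes f_i = h(C_i ‖ X_i ‖ t_i) mod q and σ_i = c_i + f_i x_i mod q as the Schnorr-style construction behind the check C_i = σ_i P − f_i' X_i (the paper does not spell out how f_i and σ_i are formed), and derives the session key from c_i C_j = c_j C_i. The pseudo-identity, the timestamp check and the smart-card step are left out.

```python
"""Added example: ECC arithmetic and pKAS-style login checks on secp256k1.

Assumptions not fixed by the paper: secp256k1 as E_p(a, b); f_i is the hash of
(C_i, X_i, t_i) reduced mod q; sigma_i = c_i + f_i * x_i mod q, which is what makes
the paper's check C_i == sigma_i * P - f_i * X_i hold for an honest user.
"""
import hashlib
import secrets

# secp256k1 domain parameters (public curve constants).
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a, b = 0, 7
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the group identity


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a*x + b over F_p (INF counts as on-curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0


def add(Q, R):
    """Chord-and-tangent addition from Section 3: Q + R = -(third intersection)."""
    if Q is INF:
        return R
    if R is INF:
        return Q
    x1, y1 = Q
    x2, y2 = R
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # R == -Q (also covers doubling a point with y == 0)
    if Q == R:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p        # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def neg(Q):
    return INF if Q is INF else (Q[0], (-Q[1]) % p)


def mul(k, Q):
    """Scalar multiplication kQ by double-and-add: the easy direction of the ECDLP."""
    result, addend = INF, Q
    k %= q
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def h(*parts) -> int:
    """SHA-256 standing in for the paper's one-way hash h(.), returned as an integer."""
    data = b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def register(x_i):
    """Registration Step R1: X_i = x_i P, which the TA stores next to ID_i."""
    return mul(x_i, P)


def login_message(x_i, X_i, t_i):
    """User side: fresh c_i, C_i = c_i P, and the assumed Schnorr-style sigma_i."""
    c_i = secrets.randbelow(q - 1) + 1
    C_i = mul(c_i, P)
    f_i = h(C_i, X_i, t_i) % q        # assumed definition of f_i
    sigma_i = (c_i + f_i * x_i) % q   # assumed definition of sigma_i
    return c_i, (C_i, sigma_i, t_i)


def verify_login(msg, X_i):
    """Server side (Step A3): accept only if C_i == sigma_i P - f_i X_i."""
    C_i, sigma_i, t_i = msg
    f_i = h(C_i, X_i, t_i) % q
    return add(mul(sigma_i, P), neg(mul(f_i, X_i))) == C_i


def run_exchange():
    """One honest exchange plus one tampered message; returns the three outcomes."""
    x_i = secrets.randbelow(q - 1) + 1
    X_i = register(x_i)
    c_i, msg = login_message(x_i, X_i, t_i=1_650_000_000)  # constructed timestamp
    accepted = verify_login(msg, X_i)
    c_j = secrets.randbelow(q - 1) + 1   # server's ephemeral secret, C_j = c_j P
    C_j = mul(c_j, P)
    sk_ij = h(mul(c_i, C_j))             # user computes c_i C_j
    sk_ji = h(mul(c_j, msg[0]))          # server computes c_j C_i
    forged = (msg[0], (msg[1] + 1) % q, msg[2])  # attacker tampers with sigma_i
    return accepted, sk_ij == sk_ji, verify_login(forged, X_i)  # (True, True, False)
```

The check in `verify_login` is exactly the paper's C_i = σ_i P − f_i' X_i: it holds because σ_i P = c_i P + f_i x_i P = C_i + f_i X_i, and producing a valid σ_i for a fresh C_i without x_i would require solving the ECDLP for X_i. Flipping a single bit of σ_i moves the right-hand side to C_i + P, so the forgery is rejected.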

Offline Password Change Phase.
In order to give a better user experience while meeting high requirements of security and efficiency, the user can complete this phase locally in the proposed scheme as follows:
Step C1: in order to verify the user's identity, the user must enter ID_i and PW_i into the smart card.
Step C2: the smart card computes a_i' = h(h(ID_i) ⊕ h(PW_i' ‖ a_{i0})) mod κ and checks whether a_i' and a_i are equal. If not, the system terminates the session. Otherwise ID_i and PW_i are accepted as correct; since a wrong (ID_i, PW_i) pair passes this check with probability only 1/κ, the check rejects a wrong pair with probability (κ − 1)/κ ≈ 99.61% for κ = 2^8, and the card proceeds to the next step.
Step C3: user U_i inputs the new password PW_i^new

Security and Performance Analysis
The security analysis and proof of our scheme are presented in this section, where the proposed pKAS is shown to resist the attacks listed in Section 4. Besides, we analyze and compare the computation and communication (bandwidth) consumption of similar schemes.

Security Analysis.
In this subsection, the details of the security analysis are described as follows.

Proposition 1.
The proposed pKAS scheme can be secure against offline password guessing attack.
Proof. Assume an adversary A has obtained U_i's smart card and the data stored in the card. He/she can launch a password guessing attack by the following steps:
Step D1: A guesses PW_i* from the password dictionary and ID_i* from the identity dictionary.
Step D2: A retrieves a_{i0} and a_i from the card and computes a_i' = h(h(ID_i*) ⊕ h(PW_i* ‖ a_{i0})) mod κ.
Step D3: A checks whether a_i' = a_i holds or not.
Step D4: A repeats Steps D1 to D3 until a_i' = a_i holds.
That is, A can find a pair (ID_i*, PW_i*) that satisfies the check. However, because a_i is reduced modulo κ, roughly one guess in κ passes the check, so A still cannot be sure that the pair found is the real identity and password. A therefore has to execute an online guessing attack to test the correctness of both. However, we use a Honey_list to prevent online guessing attacks. □

Proposition 2.
The proposed pKAS scheme can be secure against online password guessing attack.
Proof. In order to eliminate the threat of online password guessing attacks, a Honey_list is adopted in the proposed scheme. Following the analysis of Proposition 1, the proposed pKAS can use the Honey_list to stop online guessing attacks. Therefore, the proposed pKAS scheme can be secure against online password guessing attack. □
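As an added example (not code from the paper), the following Python program implements the card-side check a_i = h(h(ID_i) ⊕ h(PW_i ‖ a_{i0})) mod κ of Steps A1 and C2 with κ = 2^8, runs the offline guessing procedure of Steps D1 to D4 against a constructed dictionary, contrasts it with a card that stores the untruncated hash, and then models the Honey_list as a per-identity failure counter that locks the account after a threshold of failed online attempts. SHA-256 stands in for h(·); the identity, password, a_{i0} and dictionary are constructed; the lockout threshold and the server's full password check are assumptions, since the paper does not specify the Honey_list mechanism.

```python
"""Added example: fuzzy verifier (mod kappa) vs. exact verifier, plus a Honey_list lockout."""
import hashlib

KAPPA = 2 ** 8  # the paper's kappa = 2^8


def H(data: bytes) -> int:
    """SHA-256 standing in for the paper's h(.), returned as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def verifier(ID: str, PW: str, a_i0: int, kappa: int) -> int:
    """a_i = h( h(ID_i) XOR h(PW_i || a_i0) ) mod kappa, as in Steps A1 / C2."""
    inner = H(ID.encode()) ^ H(PW.encode() + a_i0.to_bytes(16, "big"))
    return H(inner.to_bytes(32, "big")) % kappa


def make_card(ID: str, PW: str, a_i0: int, kappa: int) -> dict:
    """What the smart card stores: a_i0 and the (possibly truncated) check value a_i."""
    return {"a_i0": a_i0, "a_i": verifier(ID, PW, a_i0, kappa), "kappa": kappa}


def card_check(card: dict, ID: str, PW: str) -> bool:
    return verifier(ID, PW, card["a_i0"], card["kappa"]) == card["a_i"]


def offline_guess(card: dict, ID: str, dictionary) -> list:
    """Steps D1-D4 with a stolen card: every password that passes the local check."""
    return [pw for pw in dictionary if card_check(card, ID, pw)]


class HoneyList:
    """Server-side failure counter per identity (assumed model of the paper's Honey_list)."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.failures = {}

    def locked(self, ID: str) -> bool:
        return self.failures.get(ID, 0) >= self.threshold

    def record(self, ID: str, success: bool) -> None:
        self.failures[ID] = 0 if success else self.failures.get(ID, 0) + 1


def online_guess(candidates, ID: str, true_pw: str, honey: HoneyList):
    """Adversary tries the offline survivors online; the server's full check is
    modelled as direct comparison with the real password (assumption)."""
    accepted = []
    for pw in candidates:
        if honey.locked(ID):
            break
        ok = pw == true_pw
        honey.record(ID, ok)
        if ok:
            accepted.append(pw)
    return accepted, honey.locked(ID)


# Constructed sample data (not from the paper).
ID_I, PW_I, A_I0 = "user-0042", "pw2718", 0x0123456789ABCDEF0123456789ABCDEF
DICTIONARY = [f"pw{n:04d}" for n in range(5000)]  # contains PW_I


def demo(kappa: int = KAPPA):
    """Returns (offline candidates, true PW among them?, online accepted, locked?)."""
    card = make_card(ID_I, PW_I, A_I0, kappa)
    cands = offline_guess(card, ID_I, DICTIONARY)
    accepted, locked = online_guess(cands, ID_I, PW_I, HoneyList(threshold=3))
    return len(cands), PW_I in cands, accepted, locked
```

With κ = 2^8 about one dictionary word in 256 survives the offline check, so the stolen card narrows 5000 guesses to roughly twenty candidates but does not identify the password; the adversary must test those candidates online, where the Honey_list counter locks the identity after three failures. With an untruncated verifier (κ = 2^256 in `demo`) the same dictionary attack pins down the single correct password entirely offline, which is why the paper reduces a_i modulo a small κ.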

Proposition 3.
The proposed pKAS scheme can provide anonymous interactions between the user U_i and the edge cloud server U_j, and no adversary A can obtain either party's identity information during the login and key agreement phase.
Proof. In the login and key agreement phase of pKAS, user U_i's real identity ID_i is hidden in the transmitted message as the pseudo-identity PID_i. If an adversary A could recover ID_i from the messages, he/she would have to solve the ECDLP, because the construction of PID_i embeds an ECDLP instance. Therefore, the proposed pKAS can provide anonymous interactions during user login and key agreement. □

Proposition 4.
The proposed pKAS scheme can provide forward secrecy.
Proof. Assume an adversary A has obtained the smart card and the user's password and identity. However, A cannot retrieve any previously established session key without knowing c_i, because A would have to solve the ECDLP. Hence, the proposed pKAS scheme can provide strong forward secrecy. □

Proposition 5.
The proposed pKAS scheme can be secure against forgery attack.
Proof. In the proposed scheme, U_j can detect whether message M_1 has been forged by computing ID* = PID* ⊕ h(x_j C_i ‖ t_i) and checking whether C_i = σ_i P − f_i' X_i holds. U_i authenticates U_j in the same way by checking whether the corresponding verification equation for M_2 holds. When A modifies a message during the conversation, the tampered message cannot pass verification. As a consequence, the proposed pKAS scheme can be secure against forgery attack. □

Proposition 6.
The proposed pKAS scheme can provide mutual authentication.
Proof. In the presented scheme, U_j and U_i verify messages M_1 and M_2, respectively, by checking the verification equations above; since only the legitimate parties can produce messages that pass these checks, mutual authentication is achieved. □

Proposition 7.
The proposed pKAS scheme can be secure against replay attack.
Proof. In the proposed pKAS scheme, we use timestamps and random numbers to prevent replay attacks. Messages M_1 and M_2 include the timestamps t_i and t_j, respectively, which is a classic way to stop replay attacks. Random numbers are also used to prevent replay attacks, because the user and the server check the freshness of the random values through the verification algorithm each time, and the adversary A still cannot construct a valid session key. Hence, the presented pKAS can be secure against replay attack. □

Proposition 8.
The proposed pKAS can be secure against impersonation attack.
Proof. Suppose A obtains U_i's smart card and learns the data in the card by some means. However, A still has to enter the correct PW_i and ID_i into the smart card to generate a legal message. Without these two factors (PW_i and ID_i), A cannot compute a correct a_i to pass the verification of the smart card, and therefore cannot proceed to the next step to impersonate U_i in communication with others. Therefore, the proposed pKAS can resist impersonation attack. □

Proposition 9.
The proposed pKAS can be secure against parallel attack.
Proof. A parallel attack usually occurs when an adversary A opens a new session to impersonate a legal user by reusing historical messages that he/she intercepted on a public channel. However, A would need to know the secret parameters behind those messages; otherwise he/she cannot send a correct access request or derive the session key. A cannot obtain the random numbers chosen by the users. As a result, the proposed pKAS can be secure against parallel attack. □

Proposition 10.
The proposed pKAS can be secure against insider attack.
Proof. As shown in the user registration phase, user U_i sends

Proposition 12.
The proposed pKAS scheme can achieve key agreement.
Proof. Because c_j C_i = c_i C_j = c_i c_j P, U_i and U_j can compute an identical session key sk_ji = sk_ij. Therefore, the proposed pKAS scheme can achieve key agreement. □

Proposition 13.
The proposed pKAS scheme can achieve offline password change.
Proof. As described in the proposed scheme, an offline password change phase is provided, so each user can change the password locally. If the user inputs the correct ID and PW, the card-side check passes; a wrong (ID_i, PW_i) pair is rejected with probability (κ − 1)/κ ≈ 99.61% for κ = 2^8, so the user can complete the local password change with high confidence that the entered credentials were correct. As a consequence, the proposed pKAS scheme can achieve offline password change. □

Performance Analysis.
In this section, we compare our scheme with similar schemes in terms of security functionality, communication consumption, and computation consumption. The results indicate that pKAS is more secure and effective than the other similar schemes and has lower communication and computation costs. F1 to F13 denote the functionalities "secure against offline password guessing attack," "secure against online password guessing attack," "provides anonymous interactions," "provides forward secrecy," "secure against forgery attack," "provides mutual authentication," "secure against replay attack," "secure against impersonation attack," "secure against parallel attack," "secure against insider attack," "achieves user untraceability," "achieves key agreement," and "achieves offline password change," respectively. In Table 2, we compare the security features of pKAS with the related schemes of Irshad et al. [33], Tsai and Lo [35], and Kaur et al. [36].

Comparison of the Computation Cost.
Let T_BP, T_ME, T_PM, T_PA, and T_HO denote the running time (in ms) of a single bilinear pairing operation, modular exponentiation, elliptic curve point multiplication, point addition, and hash operation, respectively. In Table 3, we list the computing time on the server and on the mobile terminal separately. The costs in Table 3 are based on [36]. The server is simulated on an Alibaba Cloud instance configured with an Intel(R) Xeon(R) CPU E5-2630 @ 2.30 GHz, 1 GB RAM, and Ubuntu 14.04. The mobile terminal is simulated on a smartphone with a 2 GHz ARM CPU (armeabi-v7a), 300 MiB RAM, and Android 4.4.

Security and Communication Networks
According to the time of each operation in Table 3, we compare the computation time of [33,35,36] and pKAS, as shown in Table 4.

Comparison of the Communication Cost.
The comparison results in Table 4 are based on the following assumptions: the output of the hash function is 160 bits, a random number is 128 bits, an identifier is 64 bits, a timestamp is 32 bits, and an encryption/decryption block or an ECC point is 320 bits. Table 5 shows a comparison of the communication cost between pKAS and the other schemes [33,35]. In summary, the presented pKAS consumes less communication and computation than [33,35]. Though the computation cost of [36] is lower than that of pKAS, that scheme is not secure against forgery attacks and insider attacks, and its bandwidth consumption is relatively large. Furthermore, pKAS is more secure than [33,35,36]. Hence, pKAS is better suited for mutual verification between user and server.

Conclusion and Future Work
Aiming at the practical problems encountered in key agreement between the user and the server in the edge cloud computing environment, we propose a new password-based key agreement scheme. We rely on the hardness of the ECDLP to construct user anonymity and forward secrecy. By comparing security, communication, and computation costs, we show that the proposed pKAS has better security and lower cost. Furthermore, pKAS meets all 13 security requirements listed in Section 6.
Although pKAS is more secure and efficient than similar schemes, a lightweight key agreement scheme with no point multiplication operations would be preferable. It is very challenging to design a secure and lightweight scheme; this will be the direction of our next research.
Data Availability
The data supporting the results of this study can be obtained from the corresponding author.

Conflicts of Interest
P. Liu is currently a lecturer at the Department of Computer Technology and Application, Qinghai University, Xining. Her research interest includes network protocol and protocol security (e-mail: 247750940@qq.com). Syed Hamad Shirazi is currently an Assistant Professor at the Department of Information Technology, Hazara University, Baffa, Pakistan. His research interest includes image processing and image security (syedhamad@hu.edu.pk). W. Liu is currently an assistant at the Department of Computer Technology and Application, Qinghai University, Xining. Her research interest includes network protocol and protocol security (e-mail: 1007759705@qq.com). Y. Xie is currently a Professor at the Department of Computer Technology and Application, Qinghai University, Xining. His research interest includes network protocol and protocol security (e-mail: mark.y.xie@qq.com).